Netfilter Overview

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

Netfilter Overview

Netfilter consists of three tables: Filter, Nat and Mangle. Each table has a number of built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.

Rules in the various tables are used as follows:

Filter

Packet filtering (rejecting, dropping or accepting
packets)

Nat

Network Address Translation including DNAT, SNAT and
Masquerading

Mangle

General packet header modification such as setting the TOS
value or marking packets for policy routing and traffic
shaping.

Raw

Used primarily for creating exemptions from connection
tracking with the NOTRACK target. Also used for stateless
DNAT.

Rawpost

Used for stateless SNAT.

The following diagram shows how packets traverse the various builtin
chains within Netfilter. Note that not all table/chain combinations are
used.

“Local Process” means a process running on the
Shorewall system itself.

A more elaborate version of this flow is available here and
this one
contrasts the Netfilter flow with that of ipchains.

In the above diagram are boxes similar to this:

The above box gives the name of the built-in chain (INPUT) along with the names of the tables (Mangle and Filter) that the chain exists in, listed in the order in which the chains are traversed. The sample indicates that packets go first through the INPUT chain of the Mangle table and then through the INPUT chain of the Filter table. When a chain is enclosed in parentheses, Shorewall does not use the named chain (INPUT) in that table (Mangle).

Important

Keep in mind that chains in the Nat table are only
traversed for new connection requests (including those
related to existing connections) while the chains in the other tables
are traversed on every packet.
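The traversal order described above, and the rule that Nat chains are consulted only for new connections, can be made concrete with a small model. The following is an added example, not code from the Shorewall project or this document. It assumes the standard iptables table/chain layout and ordering within a hook (Raw, then Mangle, then Nat, then Filter on the way in; Mangle, then Nat, then Rawpost at POSTROUTING), that the Nat table has an INPUT chain (kernels 2.6.34 and later), and that Rawpost (from xtables-addons) hooks only POSTROUTING. It parses a constructed ruleset in iptables-save format, lists the (table, chain) pairs a packet on a given path actually traverses, and renders a box in the style of the diagram, parenthesizing tables whose chain holds no rules in that ruleset (the page's parentheses mean "not used by Shorewall"; here they mean "empty in the sample").

```python
"""Model of Netfilter built-in chain traversal (added example, not Shorewall code).

Assumptions not stated on the page: standard iptables table/chain layout and
per-hook table order; Nat has an INPUT chain; Rawpost hooks only POSTROUTING
and runs after Nat there.
"""

# Built-in chains present in each table (standard iptables layout, assumed).
TABLE_CHAINS = {
    "raw":     {"PREROUTING", "OUTPUT"},
    "mangle":  {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "nat":     {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "filter":  {"INPUT", "FORWARD", "OUTPUT"},
    "rawpost": {"POSTROUTING"},
}

# Order in which the tables are consulted at any one hook.
TABLE_ORDER = ["raw", "mangle", "nat", "filter", "rawpost"]

# Hooks a packet passes through on each routing path ("input" = destined to
# a local process, "output" = generated by a local process).
PATHS = {
    "input":   ["PREROUTING", "INPUT"],
    "forward": ["PREROUTING", "FORWARD", "POSTROUTING"],
    "output":  ["OUTPUT", "POSTROUTING"],
}

# Constructed sample ruleset in iptables-save format (not from the page).
SAMPLE_SAVE = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j MARK --set-mark 0x1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_save(text):
    """Parse iptables-save output into {table: {chain: [rule, ...]}}."""
    tables, table = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # "*filter" starts a table
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":") and table:     # ":INPUT DROP [0:0]" declares a chain
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A ") and table:   # "-A CHAIN ..." appends a rule
            tables[table].setdefault(line.split()[1], []).append(line)
        elif line == "COMMIT":
            table = None
    return tables


def traverse(path, new_connection=True):
    """(table, chain) pairs a packet on `path` traverses, in order.

    Nat chains are skipped unless the packet opens a new connection, which is
    the behaviour the Important note above describes.
    """
    steps = []
    for hook in PATHS[path]:
        for table in TABLE_ORDER:
            if hook not in TABLE_CHAINS[table]:
                continue
            if table == "nat" and not new_connection:
                continue
            steps.append((table, hook))
    return steps


def rules_on_path(path, ruleset, new_connection=True):
    """Every rule the packet is matched against, in traversal order."""
    return [rule for table, chain in traverse(path, new_connection)
            for rule in ruleset.get(table, {}).get(chain, [])]


def render_box(chain, ruleset):
    """Diagram-style box: chain name, then its tables in traversal order.

    A table is parenthesized when its copy of the chain holds no rules.
    """
    parts = []
    for table in TABLE_ORDER:
        if chain in TABLE_CHAINS[table]:
            name = table.capitalize()
            parts.append(name if ruleset.get(table, {}).get(chain) else f"({name})")
    return f"{chain}: " + ", ".join(parts)


if __name__ == "__main__":
    rs = parse_save(SAMPLE_SAVE)
    for chain in ["PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"]:
        print(render_box(chain, rs))
    print("new conn, input:", traverse("input"))
    print("reply, input:   ", traverse("input", new_connection=False))
```

Running the block prints one box per built-in chain and then the two INPUT paths side by side: a connection-opening packet visits Nat PREROUTING and Nat INPUT, while a reply packet on the same connection skips both, so a MASQUERADE or DNAT rule is only ever evaluated once per connection.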

The above diagram should help you understand the output of
“shorewall dump”. You may also wish to refer to this article that describes the flow of
packets through a Shorewall-generated firewall.

Here are some excerpts from “shorewall dump” on a
server with one interface (eth0):